From: Aki Tuomi
Date: Fri, 12 May 2023 08:48:25 +0000 (+0300)
Subject: lib-oauth2: Do not send empty client_id or client_secret
X-Git-Tag: 2.3.21~19
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f3e85d8f512f7acbf1b5568ce9a8eee7aa807940;p=thirdparty%2Fdovecot%2Fcore.git

lib-oauth2: Do not send empty client_id or client_secret
---
diff --git a/src/lib-oauth2/oauth2-request.c b/src/lib-oauth2/oauth2-request.c
index 1f97295373..96def56fc8 100644
--- a/src/lib-oauth2/oauth2-request.c
+++ b/src/lib-oauth2/oauth2-request.c
@@ -286,10 +286,14 @@ oauth2_introspection_start(const struct oauth2_settings *set,
 enc = t_str_new(64);
 str_append(enc, set->introspection_url);
 http_url_escape_param(enc, input->token);
- str_append(enc, "&client_id=");
- http_url_escape_param(enc, set->client_id);
- str_append(enc, "&client_secret=");
- http_url_escape_param(enc, set->client_secret);
+ if (*set->client_id != '\0') {
+ str_append(enc, "&client_id=");
+ http_url_escape_param(enc, set->client_id);
+ }
+ if (*set->client_secret != '\0') {
+ str_append(enc, "&client_secret=");
+ http_url_escape_param(enc, set->client_secret);
+ }
 url = str_c(enc);
 method = "GET";
 break;
@@ -345,10 +349,14 @@ oauth2_passwd_grant_start(const struct oauth2_settings *set,
 http_url_escape_param(payload, username);
 str_append(payload, "&password=");
 http_url_escape_param(payload, password);
- str_append(payload, "&client_id=");
- http_url_escape_param(payload, set->client_id);
- str_append(payload, "&client_secret=");
- http_url_escape_param(payload, set->client_secret);
+ if (*set->client_id != '\0') {
+ str_append(payload, "&client_id=");
+ http_url_escape_param(payload, set->client_id);
+ }
+ if (*set->client_secret != '\0') {
+ str_append(payload, "&client_secret=");
+ http_url_escape_param(payload, set->client_secret);
+ }
 if (set->scope[0] != '\0') {
 str_append(payload, "&scope=");
 http_url_escape_param(payload, set->scope);
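Review bot: In oauth2_introspection_start a non-empty `client_secret` is still appended to `enc`, which becomes the URL of a `GET` request, so the secret (and the token before it) travels in the query string where endpoint access logs and intermediaries can record it. RFC 6749 section 2.3.1 says client credentials must not be included in the request URI; sending them in the request body or as HTTP Basic authentication would avoid this, but the code that builds the request is outside this hunk. At minimum I would add a comment above the new block, such as `/* GET mode: client_id/client_secret end up in the request URL and may be logged by the endpoint or proxies */`.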
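Review bot: The two new guards in oauth2_passwd_grant_start are independent, so a configuration with `client_secret` set and `client_id` empty still sends the secret on its own; the same holds for the introspection hunk above. If that combination is never valid, gate the secret on the id as well, e.g. `if (*set->client_id != '\0' && *set->client_secret != '\0') {`, or reject it wherever the settings are validated (not visible here). As a style point, the `scope` check directly below is written `set->scope[0] != '\0'`, and using the same form for the new tests would keep the function consistent. The function body continues outside the hunk.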